Case Comment: Maximillian Schrems v Data Protection Commissioner

Comparing the mass surveillance under the Commission’s US Safe Harbour Decision to the world of financial misconduct, Max Schrems said: “It’s like with the banking crisis, there was outrage and then we all kept on walking by. Letters went sent, words were said. The usual drill. But there was not really any change.” The young Austrian law student’s successful campaign, funded through small donations totalling €65,000, to close the legal loophole that allowed US corporations to circumvent EU law caused quite a stir because the CJEU declared the Commission’s US Safe Harbour arrangement invalid. The Grand Chamber held that because of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union (CFR), Commission Decision 2000/520/EC did not prevent Ireland’s supervisory authority from examining the claim made by Schrems (who was concerned about the protection of his rights and freedoms) in regard to the processing of personal data relating to him which had been relayed from Ireland to the US (a third country) when he contended that the law and practices in force in the third country did not ensure an adequate level of protection. Commission Decision 2000/520/EC was adopted under Article 25(6) of Directive 95/46/EC, or the Data Protection Directive, and through it the European Commission deemed the US to provide adequate protection.

The CJEU was unimpressed with the attitude of the Ireland’s Data Protection Commissioner (DPC) who refused to investigate a complaint made by Schrems regarding Facebook Ireland Ltd transferring the personal data of its users to the US to keep it on servers located there. The ruling brought an end to more than 4,400 US firms – including Amazon, Apple, Facebook and Google – easily transferring European customers’ details abroad under the 15-year old agreement which was seen by many in the industry as a get out of jail free card. The scrapping of the pact, which purported to have an overriding effect over the scrutiny of national regulators (who must protect data moved by a company to a foreign server), sparked outrage in America and the Obama administration was “deeply disappointed” by the ruling. Overall, the decision tends to be seen as protectionist and anti-business in America. It also crystallised growing suspicion of US firms, Safe Harbour’s main beneficiaries, in the aftermath of Edward Snowden’s disclosures about the scale of the American government’s digital espionage programmes.

Snowden tweeted “Congratulations, @MaxSchrems. You’ve changed the world for the better” after the CJEU judgment. But Schrems expressed reservations about his future role as an activist by explaining: “I do not feel that this is the thing I want to do for the rest of my life.” Yet the Austrian was delighted by the result and in the aftermath of the David and Goliath like battle he said: “Most people think you can’t take on the big companies. But they didn’t have the law on their side.” Of course, the decision is ammunition for the Commission and only strengths future demands for more concessions by the US as regards the manner in which American intelligence agencies would access data relating to Union citizens for national security purposes.

Overview

Under the Data Protection Directive, personal data may, in principle, only be transferred to third country ensuring an adequate level of data protection. Moreover, the directive gave the Commission or Member States discretion to find that a third country ensured an adequate level of protection under its domestic law or its international commitments. Furthermore, each Member State needs to designate one or more public authorities (“national supervisory authorities”) charged with monitoring the application of the directive within its territory of the national provisions giving effect to the directive. It was held that where there is a Commission decision in this regard, national authorities are unable to give a contrary decision and must refer the matter onwards as only the CJEU could deliberate over a Commission decision’s validity.

Schrems, who joined Facebook in 2008, was unhappy that as a European subscriber the data he provided was relayed from Facebook’s Irish subsidiary to servers in the US to be processed. Driven by disclosures made by former National Security Agency (NSA) contractor Edward Snowden – that the intelligence agencies retain a free hand in surveillance activities with the result that American law and practice provide inadequate protection of the data transferred to the US – Schrems was aggrieved by the way his data was being transferred from Europe to America. Official responses to Snowden did not satisfy the privacy campaigner and he took up the cause of pursuing the present proceedings. He challenged Safe Harbour on the ground that the mass surveillance of the personal data transferred to the US shows that there is no meaningful protection of that data in the law and practice in force there.

He complained to the DPC that in light of the Snowden disclosures that US law and practice were insufficient to protect data transferred against surveillance by American public authorities. Rejecting the complaint as unfounded and “frivolous”, the DPC found that – within the meaning of the Safe Harbour scheme – the US provided an adequate level of protection of the personal data transferred. Subsequently, the High Court of Ireland, the referring court where the dispute in the main proceedings had been litigated, asked for the CJEU’s views on whether the Commission decision prevented a national supervisory authority from entertaining a complaint founded on allegations that the third country fails to ensure an adequate level of protection and, where suitable, from suspending the challenged transfer of data.

In his opinion of 23 September 2015, Advocate General Yves Bot said at para 155 that in this request for a preliminary ruling, the referring court proceeds on the basis of the following two findings of fact:

First, personal data transferred by undertakings such as Facebook Ireland to their parent company established in the US is then capable of being accessed by the NSA and by other US security agencies in the course of a mass and indiscriminate surveillance and interception of such data. Indeed, in the wake of Edward Snowden’s revelations, the evidence now available would admit of no other realistic conclusion.

Second, citizens of the Union have no effective right to be heard on the question of the surveillance and interception of their data by the NSA and other US security agencies.

The CJEU seemed to have been pleased with the Advocate General’s treatment of the issues in the case and repeatedly endorsed his findings at paras 53, 67, 72, 73, 77 and 89 of its judgment. Like him, the CJEU’s ruling is grounded in the powers and independence of national authorities which are expressly mentioned in the CFR. The ruling is seen as “the end of the global internet” and a “balkanisation” of cyberspace.

The Court of Justice

The CJEU responded that the existence of Decision 2000/520/EC finding a third country ensures an adequate level of protection of the personal data transferred cannot eliminate or even reduce the powers available to the national supervisory authorities under the CFR and the directive. It also emphasised that the CFR guarantees the protection of personal data and the task with which the national supervisory authorities are entrusted. Transfers of personal data to third countries which have been the subject of a Commission decision were not covered by any provision of the directive so as prevent national supervisory authorities’ oversight. As a result, regardless of the Commission adopting the decision, when dealing with a claim national supervisory authorities must be able to examine, with complete independence, whether the transfer of a person’s data to a third country complies with the requirements created by the directive.

Reiterating earlier case law such as Melki and Abdeli, C‑188/10 and C‑189/10, EU:C:2010:363 and CIVAD, C‑533/10, EU:C:2012:347, the court reminded everyone at para 61 that it alone has jurisdiction to declare that an EU act, such as the Commission decision in question, is invalid. It was also said that national courts may consider the validity of an EU act but in light of cases such as Foto-Frost, 314/85, EU:C:1987:452 and IATA and ELFAA, C‑344/04, EU:C:2006:10 they may not declare such an act invalid.

The CJEU urged national authorities to examine “with all due diligence” claims connected to the protection of the privacy and to the fundamental rights and freedoms of individuals but concluded that only it could decide whether or not a Commission decision is invalid. It said that para 76 that because the degree of protection ensured by a third country is liable to change, after a decision has been adopted by the Commission pursuant to Article 25(6) of Directive 95/46, the Commission must periodically check whether the finding relating to the adequacy of the level of protection ensured by the third country in question is still factually and legally justified. The CJEU explained that a check of this nature is needed “in any event, when evidence gives rise to a doubt in that regard.”

As regards Safe Harbour, the court was of the view that it was obligatory on the Commission to find that the US really ensures either under domestic or international law that the level of protection of fundamental rights essentially matches the standard guaranteed within the EU under the directive read in the light of the CFR. However, the Commission did not bother to make a finding of this nature and merely examined the Safe Harbour scheme. It was apparent to the court at para 82 that the scheme is applicable solely to the US undertakings which adhere to it and US public authorities are not themselves subject to it. Noting that national security, public interest and law enforcement requirements of the US prevail over the Safe Harbour scheme the CJEU held:

86. Thus, Decision 2000/520 lays down that ‘national security, public interest, or law enforcement requirements’ have primacy over the safe harbour principles, primacy pursuant to which self-certified United States organisations receiving personal data from the European Union are bound to disregard those principles without limitation where they conflict with those requirements and therefore prove incompatible with them.

Citing the principle in Digital Rights Ireland and Others, C‑293/12 and C‑594/12, EU:C:2014:238 – that to establish the existence of an interference with the fundamental right to respect for private life, it does not matter whether the information in question relating to private life is sensitive or whether the persons concerned have suffered any adverse consequences on account of that interference – the CJEU held at para 87 that Decision 2000/520 thus facilitates interference, on national security and public interest grounds or on domestic legislation of the US, with the fundamental rights of the persons whose personal data is or could be transferred from the EU to the US.

It was clear to the court at para 90 that such an analysis of the scheme is mirrored in the Commission’s Communication COM(2013) 846 and Communication COM(2013) 847 where it observed that US authorities could access the personal data transferred from the EU to the US and process it in a way incompatible with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security. Equally, it was clear that the persons concerned had no administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.

On the issue of the level of protection of fundamental rights and freedoms that is guaranteed within the EU, following the decision in Digital Rights Ireland and Others in relation to the validity of the EU’s data retention Directive 2006/24/EC, the court said that:

91. EU legislation involving interference with the fundamental rights guaranteed by Articles 7 and 8 of the CFR must, according to the court’s settled case-law, lay down clear and precise rules governing the scope and application of a measure and imposing minimum safeguards, so that the persons whose personal data is concerned have sufficient guarantees enabling their data to be effectively protected against the risk of abuse and against any unlawful access and use of that data. The need for such safeguards is all the greater where personal data is subjected to automatic processing and where there is a significant risk of unlawful access to that data.

92. Furthermore and above all, protection of the fundamental right to respect for private life at EU level requires derogations and limitations in relation to the protection of personal data to apply only in so far as is strictly necessary.

93. In particular, legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the CFR.

Citing earlier case law such as Les VertsvParliament, C-294/83, EU:C:1986:166, Johnston, C-222/84, EU:C:1986:206, Heylens and Others, C-222/86, EU:C:1987:442 and UGT-Rioja and Others, C‑428/06 to C‑434/06, EU:C:2008:488, the court held at para 95 that legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law.

The CJEU ended its judgment by finding that national supervisory authorities are denied their powers under the Safe Harbour Decision where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. It was held at para 103 that the Commission did not have competence to restrict the national supervisory authorities’ powers in that way because implementing power granted by the EU legislature to the Commission in Article 25(6) of Directive 95/46 did not grant it the competence to do so. Declaring the Safe Harbour Decision invalid, the CJEU said:

104. That being so, it must be held that, in adopting Article 3 of Decision 2000/520, the Commission exceeded the power which is conferred upon it in Article 25(6) of Directive 95/46, read in the light of the CFR, and that Article 3 of the decision is therefore invalid.

105. As Articles 1 and 3 of Decision 2000/520 are inseparable from Articles 2 and 4 of that decision and the annexes thereto, their invalidity affects the validity of the decision in its entirety.

106. Having regard to all the foregoing considerations, it is to be concluded that Decision 2000/520 is invalid.

As a consequence of this bombshell judgment the Irish supervisory authority needs to examine Schrems’ complaint with all due diligence and, at the conclusion of its investigation, is to decide whether, pursuant to the directive, transfer of the data of Facebook’s European subscribers to the US should be suspended on the ground that that country does not afford an adequate level of protection of personal data.

Comment

The tech sector is eager to point out that its conduct was not compromised by virtue of the ruling. Facebook, which uses a number other EU avenues outside of Safe Harbour to transfer data to the US, points out that Advocate General Yves Bot said that it has “done nothing wrong.” After all, Mark Zuckerberg announced on the birth of his daughter Maxima that he would give away 99 per cent of his Facebook shares away to “the Chan Zuckerberg Initiative to join people across the world to advance human potential and promote equality for all children in the next generation.”

Microsoft reacted to the decision by saying that the judgment would not significantly affect its services but others such as CA Technologies – which considers free moving data to the lifeblood of the economy – are less dismissive about the effects of the ruling. “The gap between American and European legislation on privacy” is said to be at “breaking point” and the US and the Commission have been working their way towards a safer version of Safe Harbour but the agreement is likely to be agreed on substantially different terms.

After EU privacy laws were downplayed for so long, this judgment will mean that several tech companies will have to change the way they operate. On the other hand, despite the evils of Safe Harbour businesses used it for legitimate reasons such as HR departments storing information for foreign-based staff. US firms dominate the internet and it is cheaper to keep data on US-based servers rather than set up fresh new ones in Europe. According to the Confederation of British Industry, “the ability to transfer data easily and securely between Europe and the US is critical for businesses in our modern data-driven digital economy” and Britain’s leading business group intimated that Europe’s “digital agenda” was at risk. America’s digital data house of cards was shaken up by this judgment and on 20 October 2015 Ireland’s High Court ordered an investigation into Facebook’s transfer of European Union users’ data to the United States, to make sure personal privacy was properly protected.

Similarly, soon after the judgment, the Italian Data Protection Authority, or Garante per la protezione dei dati personali, declared invalid its authorisation of October 10, 2001 for Safe Harbour transfers of data to the US. Similarly, the Agencia Española de Protección de Datos (APED) sent correspondence to all companies operating in Spain that Safe Harbor certifications are no longer recognised as valid. APED advised firms that they must take steps to ensure that alternative mechanisms are implemented in order to continue transferring data to Safe Harbor certified companies in the US. APED set a deadline of 29 January 2016 for confirmation about any mechanisms that have been implemented to ensure adequate protections for personal data transferred to importers in the US. Many other authorities will doubtless do the same.

Immediately after the CJEU’s judgment, Professor Steve Peers said that “the party’s over” and he drew comical parallels with Mummy (the Commission) having thrown out the house rules on the children’s sweets but Daddy (the CJEU) having come home to put his foot down. Although he found the ruling to be a quite a radical departure from the court’s views in Lindqvist, Case C-101/01, ECLI:EU:C:2003:596, he said that the court’s views on the first issue that national authorities should be able to stop data flows to third countries where EU data protection laws were breached was “clearly the correct result”. However, he found that although some important points were addressed, “an enormous number of issues” were left open and the mess from “this particular poorly supervised party” will not be easy to clean up. Professor Peers felt let down by the CJEU’s discussion of the architecture of the data protection rules and lamented:

It’s unfortunate that the Court did not consider the alternative route of the national DPA calling on the Commission to amend its decision, and bringing a ‘failure to act’ proceeding directly in the EU courts if it did not do so. In the medium term, it would be better for the future so-called ‘one-stop shop’ system under the new data protection Regulation (see discussion here) to address this issue, and provide for a centralised process of challenging the Commission directly.

Notably, the eclectic politician David Davis attributes post-Snowden events, with a natural affinity to this case, such as the Draft Investigatory Powers Bill (or “the snoopers’ charter”) and the public’s indifference to it as a symptom of Britain’s false sense of confidence (“a wonderful illusion”) in the security services.

Draw together all of the powers already available to law enforcement and the security and intelligence agencies to obtain communications and data about communications. It will make these powers – and the safeguards that apply to them – clear and understandable.

Radically overhaul the way these powers are authorised and overseen. Introduce a “double-lock” for interception warrants, so that, following Secretary of State authorisation, these – and other warrants – cannot come into force until they have been approved by a judge. And it will create a powerful new Investigatory Powers Commissioner (IPC) to oversee how these powers are used.

Make sure powers are fit for the digital age. The draft bill will make provision for the retention of internet connection records (ICRs) in order for law enforcement to identify the communications service to which a device has connected. This will restore capabilities that have been lost as a result of changes in the way people communicate.

For Tom Hickman, “the intrusive powers that Parliament is being asked to endorse are mindboggling” but despite expressing a plethora of concerns he finds that “the bill must be welcomed”. Of course the absence of Stasi or Gestapo-like state agents makes the British “lazy about surveillance” and Davis, who opines we are “too comfortable” because of history, has argued that “elsewhere people are holding their government’s feet to the fire on these issues, but in Britain we idly let this happen.” In the event the bill become law it will supersede most of the Regulation of Investigatory Powers Act 2000 (described as “incomprehensible” by David Anderson QC), and shall repeal the Data Retention and Investigatory Powers Act 2014.

Mass snooping has been a regular feature of British life but the lengthy bill is the first comprehensive British surveillance law in the digital age and it deals with the interception, acquisition, retention and disclosure of communications data but the thrust of the bill targets user history and demands the blanket retention of all websites visited by British citizens for a period of 12 months. The controversial bill, which would make even the likes of George Orwell shudder, allows police and security services to access every UK citizen’s internet records without judicial authorisation. But to obtain the content of communications, the authorities will require the permission of the Home Secretary and the quasi-judicial permission of a panel of judicial commissioners.

In the aftermath of the terrorist attacks in Paris on 13 November 2015 which left 130 dead and hundreds injured, calls for fast-tracking the bill have been voiced and perhaps the illusion Davis speaks of is less wonderful than he contends. However, the CEO of the US computer manufacturer, Michael Dell, is of the view that the bill, which compels tech firms and service providers to decrypt communications if so required under a warrant, is a “horrible idea” and that “all of the technical experts pretty much agree on this.”

Spearheading the campaign for Silicon Valley, Apple has written a report to Parliament stating that the demands in the bill will “immobilise substantial portions of the tech sector and spark serious international conflicts”. It also said that the proposed legislation set a poor example and China and Russia will follow suit to clamp down on common freedoms. Yet Mrs May argues otherwise by insisting that the bill has the “strongest safeguards and protections anywhere in the democratic world and an approach that sets new standards for openness, transparency and oversight.” As noted above a “double lock” mechanism for the use of interception warrants means that security agencies will only have the right to access phone call, email, social media content after getting approval from the Mrs May and a senior judge. As for Edward Snowden, well, bill or no bill, he is clear that GCHQ is a “subsidiary” of the NSA and that as smartphone users we can do “very little” to prevent the security services’ Smurfs from getting “total control” over our devices!

The European Court of Justice ruled in October 2015 that its ‘safe harbour’ agreement with the US, that allowed the transfer of EU citizens’ data to the US, is no longer valid because it does not adequately protect consumers. This decision was made in the wake of the Edward Snowden revelations regarding mass surveillance by the US government of personal data held in the US. Now this agreement has been considered invalid, US companies can no longer rely on self-certification and must find another means to guarantee an adequate level of protection.

Companies most likely to be affected are those which use US-based cloud services to store or process their personal data. They will need to consider other options, such as seeking consent from data subjects, using BCRs (binding corporate rules) for intra-group transfers or getting the US cloud providers to sign up to EU approved ‘model’ contract clauses (which guarantee an adequate level of protection).

As a result of this ruling, businesses that are transferring personal data to the US could find themselves in breach of the 8th principle of the Data Protection Act 1998. This could lead to investigation by the Information Commissioner, fines and unwanted media attention. In order to reduce the risks posed by this we advise you to:

Carry out an assessment of what personal data you transfer to the US (through the Safe Harbour arrangement). Do not forget to check the location of any subcontractors that your suppliers use in the background!

Assess and put in place the most suitable alternative to Safe Harbour; and

For sensitive data, use encryption if possible when transferring personal data to the US as this anonymises the data which means it is not caught by the legislation.

European and U.S. officials are rushing to finalize a key data transfer pact days before a meeting of EU regulators who are poised to start restricting transatlantic flows of personal data used by firms in the billion dollar online advertising industry.

A new deal is crucial for the many thousands of businesses that until late last year relied on “Safe Harbour”, a framework which protected Europeans’ data moving to the United States, when it was struck down by an EU court over concerns about U.S. Internet surveillance.

European Union data protection law says companies cannot transfer EU citizens’ personal data to countries outside the bloc deemed to have insufficient privacy safeguards — like the United States.

Revelations of mass U.S. surveillance programs in 2013 prompted the European Commission to demand that Safe Harbour, which helped over 4,000 companies avoid cumbersome EU data transferral rules, be strengthened.

Since the Oct. 6 ruling companies have been in legal limbo. While they can set up alternative legal structures to transfer data to the United States, these have been called into question by the EU’s data protection regulators.

The regulators meet in Brussels on Feb. 2-3 to decide whether they should restrict the use of alternative measures as well, such as binding corporate rules and model clauses between companies, causing particular panic in the technology world where companies such as Facebook and Google rely on moving and analyzing reams of users’ data to sell targeted advertising.

“I do think that we can reach an agreement before February 2,” said Robert Litt, general counsel for the U.S. Director of National Intelligence at a briefing with reporters on Friday.

U.S. officials met a group of EU data protection authorities on Tuesday to discuss the future of Safe Harbour, said a spokeswoman for the French regulator, which chairs the group.

One person familiar with the matter said U.S. ideas for improving oversight of the new data transfer framework – such as creating an “ombudsman” – could change the authorities’ view of U.S. rules governing its surveillance practices.

However, the two sides are still at odds over the powers of the new office, whose role would be to respond to complaints from EU citizens and data protection authorities over U.S. surveillance practices.

Max Schrems, the Austrian law student whose complaints against Facebook in Ireland led to Safe Harbor being ruled invalid, sent a letter to European data protection authorities late Thursday urging them to reject claims that U.S. protections against surveillance are “essentially equivalent” to those found in Europe.

“Attempts by lobby groups and the US government to ‘reinterpret’ or ‘overturn the clear judgment of the Union’s highest court are fundamentally flawed,” Schrems wrote.

The European Commission is pushing for the ombudsman to have the authority to make findings about U.S. surveillance as opposed to just fielding complaints, according to one person familiar with the talks.

Another issue is agreeing on the role European data protection authorities should play in ensuring companies abide by the privacy principles in the new data transfer agreement.

The U.S. Federal Trade Commission, responsible for enforcing privacy laws in the United States, does not have to take up each individual complaint, something that is required by the European Court of Justice in its Oct. 6 ruling.

“Ultimately the DPAs are going to have to be involved,” said Julie Brill, U.S. Federal Trade Commissioner, at a conference in Brussels on Thursday.

Negotiators hope to reach a deal by Monday, when the European Commission will inform the European Parliament and member states.

That will enable the Commission to present the new framework to EU data protection regulators at the meeting on Tuesday, said Paul Nemitz, European Commission Director for Fundamental Rights.

Disclaimer

The analysis and commentary on the law on this weblog is provided free of charge for information purposes only. All reasonable steps are taken to make the information and commentary accurate and up to date at the date each item is published, but no responsibility for its accuracy and correctness, or for any consequences of relying on it, is assumed or accepted by its author. The pages, information, and commentary do not, and are not intended to, amount to providing legal advice to any person on any case or matter. You are strongly advised to obtain case specific, personal advice from a qualified lawyer about your case(s) or matter(s) and not to rely on the information or comments on this site for the purposes of your legal situation(s).